On December 23, 2015, hackers shut down an electric transmission station in Ukraine, just north of the nation's capital city Kiev, according to Wired. The attack, which flung 30 substations offline and left more than 230,000 residents of the Ivano-Frankivsk Region without power, was the first of its kind: Cybercriminals had never before targeted an entire electrical network. The impact of the attack still reverberates today, as politicians and public officials scramble to assemble the defenses required to protect critical service delivery infrastructure and prevent another digital assault of this kind. For instance, President Donald Trump recently took action to bolster digital grid protections, issuing an executive order requiring federal agencies to assess and improve power networks across the country, Utility Dive reported. Sadly, many cybersecurity analysts believe the Ukranian grid attack was simply an opening salvo, a small preview of larger strikes to come.
"The potential impact here is huge," Robert Lipovsky, an analyst at the Slovakian data security firm ESET, warned in an interview with Wired. "If this is not a wakeup call, I don't know what could be."
This state of affairs has left electric companies shaken, as they bear the burden of defending against and mitigating attacks. Utility Dive recently connected with 600 power professionals from the U.S. and Canada and asked them to highlight the most pressing issues affecting the industry – approximately 72 percent of respondents cited physical and cybersecurity as their primary concern. In fact, many are already weathering regular hacks, according to research from Verizon Wireless. Last year, cyberattackers targeted utility companies in 32 incidents and caused 16 reported breaches. While these strikes make up a small percentage of the more than 42,000 that occurred in 2016, they carry immense potential for disruption, as seen with the situation in Ukraine.
While the issue of cybersecurity may seem somewhat overwhelming to utilities, most can take action to protect their service infrastructure and keep their customers happy, even as hackers develop new attack vectors and search for network loopholes.
Understand the landscape
Utilities must first gain an understanding of the sector-specific cybersecurity landscape to effectively defend their digital and physical assets. The 2015 cyberattack in Ukraine offers great insight into how hackers targeting power grids are likely to operate now and in the future. Multiple data security firms performed analyses in the wake of the strike. The infrastructure cybersecurity firm Dragos offered the most in-depth evaluation of the attack, using threat assessment data from ESET and internal expertise to map out the hack in detail and evaluate the malicious software involved.
The attackers that carried out the strike used customized malware called BLACKENERGY 3, which allowed them to access internal networks for three different Ukranian power companies and the infiltrate supervisory control and data acquisition platforms. Once inside these backend systems, the cybercriminals used existing power distribution management controls to power down 30 substations and catalyze a blackout. Dragos also discovered the existence of another, more concerning, form of malware called CRASHOVERRIDE, which has the ability to automatically analyze industrial backend systems of any scale and pinpoint vulnerabilities ideal for attack. While the hackers who perpetrated the attack in Ukraine only used the malware in three instances, analysts believe this vector could be at the center of more wide-scale deployments designed to take down larger service infrastructure.
This report paints a concise picture of the threats power providers face and gives them actionable data on which to base defensive and mitigative data security measures.
Establish digital defenses
Utilities are now managing large digital networks to support an array of external industry-specific software and hardware solutions. Roughly 22 percent of electric companies host customer-facing mobile applications, according to data from Statista. Additionally, utilities in the U.S. are responsible for managing roughly 64.7 million advanced metering devices, the Energy Information Administration reported. On top of that, utilities themselves interact with these fixtures via outage management systems and other essential backend platforms, forming an interconnected web of networking infrastructure vulnerable to attack. Robust digital protections are required as a result.
The Edison Electric Institute advises power providers to install network monitoring systems, as well as user-centered features such as two-factor authentication. The former can help information technology pinpoint suspicious activity, while the former empowers system users to protect the endpoints under their control. The organization also encourages utilities to develop and deploy internal data security policies to accompany network defenses. While firewalls, monitoring platforms and the like certainly offer significant protection, employee behaviors often make or break data security programs. For instance, the malware like BLACKENERGY 3 and CRASHOVERRIDE most often enter company networks via malicious email funneled in through the worker inboxes. In fact, more than half of the breaches that occurred last year involved malware of some kind, Verizon Found.
On a positive note, most utilities understand the importance of installing data security protections and have invested heavily in the technology in recent years, according to EEI. Companies in the industry spent over $52 billion on cybersecurity programs in 2016. Of course, this figure will have to come up as more sophisticated attack vectors come into use.
While prevention is the ideal course of action when it comes to cybersecurity, the reality is penetrations are likely to occur no matter what kind of defensive backend technology is in place. System infiltration techniques simply evolve to quickly for these protections to work 100 percent of the time. Hackers developed roughly 60 million new types of malware last year alone, according to research from IT security company Sonic Wall. This necessitates a more realistic approach to data security – one involving the development of key attack mitigation protocols.
"Utilities spent over $52 billion on cybersecurity programs in 2016."
System backups are the centerpiece of most of these strategies, EEI found. When mission-critical applications go down, there must be other iterations stored elsewhere to pick up the slack. This kind of business continuity can operations up and running, even in the event that key systems have been compromised. On top of this, IT personnel must have the skills and tools needed to isolate infected parts of the network and contain the damage. An instance of effective threat mitigation should conclude with a post-incident review and forensic analysis to determine how the penetration happened and what can be done to prevent a repeat occurrence. Additionally, utilities in this position should abide by federal and state breach disclosure laws, as noncompliance can result in financial penalties or even legal action.
Work with trusted partners
American electric companies are taking part in an exciting technological shift, integrating new service delivery and customer service technology into field operations that has never been seen before in the history of the industry. There is immense opportunity for operational improvement across the board. However, implementing new technology such as smart meters or customers applications also means introducing new risk factors. With this in mind, utilities must operate with great care when upgrading their internal systems and work with partners they can truly trust, according to EEI.
As innovation in the space accelerates, many power providers will be tempted to go with the first hardware or software companies that can meet their operational and budgetary needs. This is an unwise modus operandi that can lay the groundwork for major cybersecurity woes. Here at dataVoice International, we recognize that utilities navigating IT modernization must implement systems strong enough to withstand cyberattackers and other outside actors threatening the stability of the American power grid. That's why electric companies across the country trust our ground-breaking solutions to not only bolster operational efficiency and improve customer satisfaction but also stand firm in the face of digital threats.
Is your utility prepared to adopt new, field-ready backend infrastructure? Contact dataVoice International today to learn about our outage management platform and mobile applications for customers and field crews.